July 2016: The Month in Ransomware

As we continue to keep track of relevant events in ransomware, it’s time to provide a summary on the strains that surfaced or underwent noteworthy changes in July. Importantly, you will learn about decryptors released by security professionals and the promising international initiative called ‘No More Ransom.’

JULY 3, 2016

Alfa ransomware emerges

This infection appears to have the same origin as the infamous Trojan dubbed Cerber, which has been in the wild since March and accommodates a unique text-to-speech feature to intimidate victims. As opposed to its prototype, the new contrivance called Alfa, also referred to as the Alpha Ransomware, does not drop a VBScript version of ransom notes that generates a spooky audio. It appends the .bin extension to all scrambled files and provides ransom payment and recovery instructions in the ‘Readme How to Decrypt Your Files.html’ document. The ransom amounts to 1 Bitcoin. Its encryption is unbreakable for now.

New variants of Apocalypse Ransomware decrypted

The Apocalypse plague isn’t new, but its authors keep coming up with spinoffs that attempt to get around the automatic decrypt tool devised by Fabian Wosar, a security researcher with Emsisoft. In early July, though, the analyst was able to update his decryptor, which now allows all Apocalypse Ransomware victims to restore their data for free. The latest iterations of this infection are concatenating the Where_my_files or .bleepYourFiles extensions to the encoded objects.

JULY 6, 2016

CryptXXX changes its name, again

Shortly after the nasty CryptXXX ransomware had started peddling a paid recovery solution called ‘UltraDeCrypter,’ its makers did another revamp of the offending program and modified the tool’s name to ‘Microsoft Decryptor.’ It’s unclear whether this is a marketing trick aimed at evoking more trust with victims, but the use of the reputable company’s good name seems to be becoming a trend with online extortionists.

Some other changes include the denominations of files containing ransom instructions (README.txt, README.html and README.bmp) as well as the new approach where filenames stay the same as before the attack with no extensions appended to them.

CryptoFinancial Ransomware comes on stage

The new CryptoFinancial infection is all about bluff and failure. Having performed its attack against a Windows machine, this breed states that the user’s data is encrypted and demands 0.2 Bitcoin to decrypt it. However, according to an in-depth analysis by the researcher nicknamed S!Ri, this ransomware simply obliterates one’s files and doesn’t encode them. To add insult to injury, it doesn’t provide any viable methods to make the data accessible again. So, consider your files lost if you fall victim to this glitched strain.

JULY 7, 2016

BitStak ransomware – better luck next time

This sample appends the .bitstak extension to encrypted data and isn’t the most complex piece of ransomware imaginable, to put it mildly. It was most likely created by script kiddies. The attackers’ unprofessional take on the implementation of cryptography has allowed Michael Gillespie, a security researcher who goes by the handle Demonslay335, to crack the crypto and craft a free decryption tool.

PizzaCrypts doesn’t “taste” so good

Creating ransom notes named ‘Pizzacrypts Info.txt’ and concatenating the .id-maestro@pizzacrypts.info extension to the ciphered items, this breed poses a high risk to victims as there is no way to decrypt it at this point. A peculiar characteristic of PizzaCrypts is that its circulation is backed by one of the most powerful exploit kits called Neutrino. Therefore, unpatched software on computers is the primary entry point for this ransom Trojan.

The comeback of PadCrypt ransomware

PadCrypt originally surfaced mid-February this year. It is not a run-of-the-mill sample because it features a live support chat option to interact with victims. Shortly after this extortion campaign was launched, it became dormant and stayed that way until July. The updated edition leverages AES-256 cryptosystem to lock files, appends .padcrypt to each one, and demands 0.8 Bitcoin for recovery.

JULY 9, 2016

Unlock92 Ransomware enhances its crypto

The file-encrypting infection called Unlock92 used to be decryptable. It primarily infects a Russian-speaking audience and therefore displays warning messages in Russian, although there have been incidents where Windows users in other locations got hit. Unlock92 appends the .cccrrrppp extension to one’s skewed files. Unfortunately, a big update of this Trojan’s modus operandi as of July made it impossible to crack the encryption through retrieval of the secret key. The perpetrators started using the RSA-2048 algorithm, which is asymmetric and features higher entropy of the private key.

JULY 11, 2016

A copycat of the infamous CTB-Locker appears

CTB-Locker is one of the oldest plagues on the crypto ransomware arena. Its first samples were spotted in the wild back in 2014. As this campaign has been hitting the headlines heavily ever since, its ill fame has spawned multiple copycats. A recent one attempts to impersonate the notorious prototype but totally fails. Rather than encode its victims’ valuable files using the RSA public-private cryptosystem, it moves them into a ZIP archive protected by a password, so there’s a great deal of bluff in its alerts. Generally referred to as CTB-Faker, this strain asks for 0.08 Bitcoin to restore data. The recovery, however, is quite easy as long as a forensics expert looks into the issue.

ODCODC ransomware isn’t a hard nut to crack

The sample in question adds the .odcodc extension to jumbled files and drops a ReadThis.txt ransom note onto an infected computer. The extension is preceded by an email address, most likely abennaki@india.com, so that victims can reach the attacker and get further decryption directions. Thankfully, a security enthusiast nicknamed BloodDolly was able to create a free decryption tool for this strain. Another big win in the ongoing cyber battle.

JULY 12, 2016

Xorist Ransomware tries to impersonate Cerber

A new edition of the Xorist Ransomware concatenates the .cerber extension to files, which is obviously an attempt to look like the widespread Cerber pest. Unlike the original ransomware, though, the copycat does not provide any links to a secret Tor page. Furthermore, it can be decrypted, courtesy of Fabian Wosar, mentioned above.

JULY 13, 2016

A spike in WildFire Locker distribution

Security researchers associate the recent upswing in the propagation of WildFire Locker ransomware with the use of a powerful botnet dubbed Kelihos. This infection uses AES-256 cryptosystem, appends the .wflx string to tweaked filenames, and provides a decryption walkthrough in the file named HOW_TO_UNLOCK_README. Unfortunately, neither antimalware labs nor enthusiasts have come up with a way to restore data ciphered by this sample thus far.

Stampado – ransomware for sale

This is another example of the Ransomware-as-a-Service (RaaS) model in play. Wannabe cybercrooks can purchase their copy of this infection on black hat forums for as little as $39 and spread it as they deem appropriate. The malady employs an AES-256 algorithm to make files inaccessible and puts the .locked extension at the end of each one. Fortunately, Emsisoft’s Fabian Wosar made a decryptor for this Trojan before the campaign even moved into its active phase.

JULY 14, 2016

Keys giveaway by CryptXXX authors

The threat actors behind CryptXXX, one of the prevalent ransomware programs on the loose, began providing free private keys for some iterations of their infection. It’s unclear whether this is a glitch in their payment servers or a display of the attackers’ good will, but a lot of users were able to restore their data without submitting the ransom. This mostly applies to the editions of CryptXXX that append the .cryp1 and .crypz extensions to files.

JULY 18, 2016

Petya ransomware update rolled out

The cybercriminals behind Petya, a ransom Trojan that encrypts MBR (Master Boot Record) rather than individual files, have made their brainchild more sophisticated. A recent update involves improvements made to the implementation of the Salsa20 encryption standard. This change makes Petya an even harder threat to tackle once it’s on board.

JULY 19, 2016

Files encrypted by CryptXXX are no longer recognizable

The aforementioned CryptXXX plague has changed the way it handles encoded data. Whereas it used to leave filenames unaltered and only added new extensions, the latest edition completely jumbles filenames, turning them into strings of 32 hexadecimal characters. Furthermore, the extensions are now random, as well.

JULY 20, 2016

Out-of-the-ordinary HolyCrypt ransomware

What makes HolyCrypt special is that it’s written in the Python programming language. Also, a peculiar compilation technique allows the malefactors to spread all components of the ransomware as one executable. This strain threatens to delete the private key unless the ransom is submitted within 24 hours.

JULY 21, 2016

Bart Ransomware decrypted

This cyber contagion has been cracked, courtesy of AVG analysts. Bart isn’t quite a crypto malware strain because it transfers its victim’s files to a ZIP archive. Restoring the data is a matter of entering a password to unlock this protected storage. This offending program appends the .bart.zip string to the original filenames. Fortunately, recovery is now doable with AVG Decryption Tool for Bart.

PowerWare infection mimics the Locky strain

Creating copycats is generally the norm of the ransomware terrain. The recently discovered sample dubbed PowerWare tries to impersonate Locky, a very widespread threat that hasn’t been cracked to date. The newbie uses the same .locky extension to mark the encrypted data. As opposed to the genuine ransomware, though, PowerWare isn’t nearly as professionally tailored and can be decrypted with Michael Gillespie’s free ad hoc tool.

JULY 25, 2016

CrypMIC ransomware discovered

CrypMIC continues the growing trend of impersonating other contagions. To its authors’ credit, the infection really bears a close resemblance to the ill-famed CryptXXX. The distribution vector via the Neutrino exploit kit, the look and feel of warning screens, the text of ransom notes, the size of the ransom, and the cryptosystem are shared by both. A few subtle differences, though, include the file naming format and the way these offending apps handle Shadow Copies of victims’ files.

Simple_Encoder goes the well-trodden route

There is nothing outstanding about the Simple_Encoder ransomware, also referred to as the Tilde virus. It leverages the Advanced Encryption Standard to deny the accessibility of data, appends the “.~” extension to the original filenames, and provides a restoration avenue in the form of the _Recover_Instructions.ini document. Fortunately, AES is not the strongest known cryptosystem. Professionals can decrypt it. Infected users should post in a forum thread at Bleeping Computer, and experts will try to provide all the necessary assistance.

The No More Ransom Project launched

Ransomware victims can now report their incidents to the expert community via The No More Ransom Project page. This remarkable service has been set up by the dedicated Netherlands police unit, in collaboration with Kaspersky Lab, the European Cybercrime Center, and Intel Security. Infected people can use the page to get assistance identifying the ransomware that hit them and download decryption tools, if available.
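Identifying the strain is the first step of such a report, and the indicators scattered through this roundup (appended extensions, ransom-note filenames, the 32-hex-character renaming of the July 19 CryptXXX edition) are enough for a first-pass triage. The script below is an added example, not part of the original article or of the No More Ransom service; the indicator tables are transcribed from the entries above, the directory listings are constructed samples, and the `min_hits` threshold is an assumption chosen to keep a single legitimate .bin or .xyz file from being reported as ransomware.

```python
import re
from collections import Counter

# Extension appended by each strain, as named in the roundup (shared ones listed together).
# Longer, more specific suffixes come first so they win over ".zip"-style generic matches.
EXTENSION_HITS = {
    ".id-maestro@pizzacrypts.info": "PizzaCrypts", ".bart.zip": "Bart",
    ".cccrrrppp": "Unlock92", ".bitstak": "BitStak", ".padcrypt": "PadCrypt",
    ".odcodc": "ODCODC", ".cerber": "Xorist (Cerber impostor)", ".wflx": "WildFire Locker",
    ".cryp1": "CryptXXX", ".crypz": "CryptXXX", ".locky": "Locky / PowerWare",
    ".locked": "Stampado / UYARI", ".xyz": "Jigsaw (Anonymous variant)",
    ".bin": "Alfa", ".~": "Simple_Encoder",
}
# Ransom-note filenames named in the roundup. CryptXXX's README.* notes are left out
# because those names are far too common to be decisive on their own.
NOTE_HITS = {
    "readme how to decrypt your files.html": "Alfa", "pizzacrypts info.txt": "PizzaCrypts",
    "readthis.txt": "ODCODC", "how_to_unlock_readme": "WildFire Locker",
    "_recover_instructions.ini": "Simple_Encoder",
}
# July 19 CryptXXX edition: filename becomes 32 hex characters plus a random extension.
CRYPTXXX_RENAME = re.compile(r"^[0-9a-f]{32}\.[a-z0-9]{2,8}$", re.IGNORECASE)


def strain_for_name(name):
    """Return the strain a single filename points to, or None if nothing matches."""
    low = name.lower()
    if low in NOTE_HITS:
        return NOTE_HITS[low]
    for ext, strain in EXTENSION_HITS.items():
        if low.endswith(ext):
            return strain
    if CRYPTXXX_RENAME.match(low):
        return "CryptXXX (renamed files)"
    return None


def triage_listing(names, min_hits=3):
    """Tally indicator hits over a directory listing and return (likely strain, hit counts).

    A ransom note is decisive; extension-only evidence needs at least min_hits
    files (assumed threshold) before a strain is reported.
    """
    notes = [NOTE_HITS[n.lower()] for n in names if n.lower() in NOTE_HITS]
    counts = Counter(s for s in map(strain_for_name, names) if s)
    if notes:
        return notes[0], dict(counts)
    strain, hits = counts.most_common(1)[0] if counts else (None, 0)
    return (strain if hits >= min_hits else None), dict(counts)


# Constructed sample listing (not from a real incident): three CryptXXX-marked files and one stray .bin.
SAMPLE_LISTING = ["budget.xlsx.cryp1", "photo1.jpg.cryp1", "thesis.docx.crypz", "installer.bin"]
```

Running `triage_listing(SAMPLE_LISTING)` reports CryptXXX with three hits while the lone installer.bin is tallied but not reported as Alfa; a listing containing _Recover_Instructions.ini is attributed to Simple_Encoder regardless of file count.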

JULY 26, 2016

Private keys for the Chimera Ransomware leaked

No matter what the motivation was behind releasing RSA keys for the Chimera Ransomware, the creators of Petya and Mischa strains who did this probably deserve some thumbs up. Specifically, the criminals released over 3000 private keys for the Trojan mentioned above, thus allowing numerous victims to decrypt their data.

Ransomware affiliate platform becomes readily available

Although the developers of Petya and Mischa ransomware certainly did a good job aiding Chimera ransomware victims, the rest of their deeds aren’t as commendable. In late July, they officially launched a Ransomware-as-a-Service system for interested parties to use and spread this combo of malicious applications. The platform called JANUS is hosted on Tor for anonymity reasons.

The unsuccessful Jager Ransomware

This new sample looks fancy on the outside, but its distribution didn’t last. The C2 server went down shortly after the campaign was launched. Whatever the reason is, that’s some good news for Windows users around the globe.

JULY 28, 2016

UYARI Trojan targets Turkish users

This infection is one of a kind as its potential victim base is restricted to the Turkish audience. First spotted by Michael Gillespie (Demonslay335), this ransomware concatenates the .locked extension to ciphered files, adds ransom notes in Turkish, and demands 2 Bitcoins for data decryption. Thankfully, researchers have found a way to circumvent its encryption and reinstate the scrambled files.

JULY 29, 2016

Anonymous-themed Jigsaw Ransomware spinoff

A new variant of the Jigsaw Ransomware, which is known for the use of popular Internet characters and movie themes in the backgrounds of its warning screens, now pretends to act on behalf of Anonymous. This iteration appends the .xyz extension to all encrypted items and threatens to erase some files every hour until the victim pays $250 worth of Bitcoin. Fortunately, this sample can be decrypted for free.

Kaspersky helps restore files encrypted by Chimera ransomware

Kaspersky’s data recovery tool called RakhniDecryptor has been around for several months. It was recently updated to include the aforementioned database of private RSA keys for the Chimera infection released by a well-known cybercriminal group. About 3500 victims can, therefore, get their files back without having to cough up a penny.

Conclusion

It’s great to know that security organizations from the private sector and law enforcement agencies from different parts of the globe are working in tandem to combat the scourge of ransomware. However, the number of successful decryption cases is still negligible compared to the incidents where recovery efforts are futile. Under the circumstances, be sure to make backups of the data that matters the most.

About the Author: David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the www.Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.